SPF records when sending multi-domain emails from one host

Tags: email, smtp, spf

We have a CMS system in which multiple customers run their websites from a single virtual machine. Pages generated by the CMS allow forms to be filled in, which trigger emails to be sent. I am having trouble working out how to properly configure SPF record(s) so that emails will not be flagged as spam. From what I can work out, if we are hosting three customer domains:

customer1.com
customer2.info
customer3.co.uk

All on a machine called my-cms-uk.com

Then I need to add an SPF record for all three customer domains and also my-cms-uk.com, which all specify the IP of my-cms-uk.com as being allowed to send emails for that domain? I am not sure whether I need to add an SPF for the machine's FQDN as well.

I have tried Googling but cannot find a clear explanation of setting up SPF for multiple domains. The SPF records I am trying with specify the IP of the host, e.g.

"v=spf1 ip4:111.22.33.444 mx ~all"

Just to confuse me more, I looked at the SMTP setup of emails sent by people using mailgun and aweber and they do not seem to have the SPF setup I was expecting. For example Cal Newport (calnewport.com) has an email list that uses aweber but calnewport.com does not have an SPF record allowing aweber as an email sender?

Best Answer

There is no connection between them, as SPF records are set per domain, not per sending host.

If several different domains each send email coming only from one host, say mail.example.com, then each should have an SPF record like a:mail.example.com -all. Note that each makes no reference to the other domains sending from mail.example.com.

It is only important that mail.example.com have an A record pointing to the IP address of the permitted sending host for each domain.

A domain's SPF record might make reference to another domain, e.g. at the time of writing, hotpoint.co.uk's SPF record is include:_spf.google.com ip4:46.37.28.0/24 ip4:89.119.89.27 ip4:89.119.89.28 ip4:193.104.11.3 ~all. This includes google not because google's email also comes from hotpoint's servers, but because hotpoint's mail may come from google's infrastructure. If there are no other legitimate senders for email from each of your listed customer domains besides your single server, this complication does not apply to you.

Edit: if you are considering setting up SPF records, may I very strongly advise you not to bother if you're going to end them with ~all or ?all (or even worse, +all)? An SPF record that doesn't end with -all can't be used for anything, so is genuinely pointless; the internet doesn't care which hosts you say can send email from you, it cares which hosts you say cannot. Some mail admins here on SF use the presence of an SPF record without a terminal -all as a positive indicator of a spammy domain.
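To make the answer's points concrete (one `a:mail.example.com -all` record per customer domain, the sending host's A record doing the real work, `include:` delegating to a third party, and `~all` versus `-all` at the end), here is a small offline SPF evaluator. It is an added example, not code from the question or the answer, and it implements only a subset of RFC 7208 (the `ip4`, `a`, `mx`, `include` and `all` mechanisms with the four qualifiers). DNS is replaced by a constructed lookup table using the `example.com` names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges; the customer domain names mirror the question but the records attached to them are assumptions for the demonstration.

```python
"""Minimal offline SPF evaluator (added example, not from the original post).

Implements a subset of RFC 7208: the ip4, a, mx, include and all mechanisms
with the +, -, ~ and ? qualifiers. Real DNS is replaced by the constructed
DNS table below so the script runs offline.
"""
import ipaddress

# Constructed DNS data standing in for real lookups. Assumption: these are
# the only records that exist for these names.
DNS = {
    "TXT": {
        # Each customer domain authorises the single shared sending host by
        # name and rejects everything else, as the answer recommends. None of
        # the records needs to mention the other customer domains.
        "customer1.com": "v=spf1 a:mail.example.com -all",
        "customer2.info": "v=spf1 a:mail.example.com -all",
        "customer3.co.uk": "v=spf1 a:mail.example.com -all",
        # The weaker shape from the question: host IP plus mx, ending in ~all.
        "softfail.example": "v=spf1 ip4:192.0.2.10 mx ~all",
        # A domain whose mail is sent by a third party, delegated via include:.
        "delegating.example": "v=spf1 include:_spf.thirdparty.example -all",
        "_spf.thirdparty.example": "v=spf1 ip4:198.51.100.0/24 -all",
    },
    "A": {
        # The only record that ties the customer domains to an actual IP.
        "mail.example.com": ["192.0.2.10"],
        "mx1.softfail.example": ["192.0.2.20"],
    },
    "MX": {
        "softfail.example": ["mx1.softfail.example"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(name):
    """Resolve a hostname to its A records using the constructed table."""
    return [ipaddress.ip_address(a) for a in DNS["A"].get(name, [])]


def check_host(ip, domain, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for a connection from `ip` claiming to send as `domain`."""
    if depth > 10:  # RFC 7208 limits include recursion; treat overflow as permerror
        return "permerror"
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published: receivers learn nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            # 'all' always matches; its qualifier is the verdict for senders
            # that matched nothing earlier (-all fail, ~all softfail, ...).
            return QUALIFIERS[qualifier]
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in _a_records(arg or domain)
        elif name == "mx":
            matched = any(addr in _a_records(mx) for mx in DNS["MX"].get(arg or domain, []))
        elif name == "include":
            # include: matches only if the referenced domain's record passes.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end with no 'all' term


def results_for_shared_host(ip, domains):
    """Evaluate one sending IP against several domains, as a multi-tenant
    host operator would when checking every customer's record."""
    return {d: check_host(ip, d) for d in domains}


if __name__ == "__main__":
    customers = ["customer1.com", "customer2.info", "customer3.co.uk"]
    print("shared host:", results_for_shared_host("192.0.2.10", customers))
    print("stranger   :", results_for_shared_host("203.0.113.5", customers))
    print("~all record:", check_host("203.0.113.5", "softfail.example"))
    print("include    :", check_host("198.51.100.7", "delegating.example"))
```

Running it shows the shared host passing for every customer domain, an unrelated IP failing outright under `-all` but only soft-failing under the `~all` record from the question, and the `include:` domain passing only for the third party's range. Changing `mail.example.com`'s A record in the table changes every customer's result at once, which is the point the answer makes about the A record being the only thing that must stay correct.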
